Kb143

Emulab FAQ: Testbed Operations: How does account freezing work?

We guard against DoS and password attacks. Fundamentally, we care about protecting ourselves, so if we temporarily shut off more than one user, that seems okay. Our users are unlikely to be sharing the same proxy (IP) with someone who is launching an attack at the same time.

Both per-user and per-IP protection are implemented, using a couple of slots in the users table and a table for IPs.

Basically, if a valid uid is provided (one that is in the users table), then I freeze the account after 4 failures in the last minute. In other words, a couple of failures are harmless and are aged out quickly. It's a rapid burst of failures that will cause the login to be frozen.

Then, for any failure, I allow 8 failures in the last two minutes from the same IP. Again, it's a burst of failures that will cause the IP to be blocked, not single failures over time.
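
The two burst checks described above, as an added Python sketch (not Emulab's code). It keeps failure timestamps in memory instead of in the users and IP tables, and the exact boundaries (freeze on the 4th failure within 60 seconds, block an IP on the 9th failure within 120 seconds) are assumptions about how the thresholds are applied; `LoginThrottle` and all of its names are hypothetical.

```python
from collections import defaultdict, deque

USER_LIMIT, USER_WINDOW = 4, 60   # freeze after 4 failures in the last minute
IP_LIMIT, IP_WINDOW = 8, 120      # allow 8 failures in the last two minutes


class LoginThrottle:
    """In-memory stand-in for the users-table slots and the IP table."""

    def __init__(self, valid_uids):
        self.valid_uids = set(valid_uids)        # stands in for the users table
        self.user_failures = defaultdict(deque)  # uid -> failure timestamps
        self.ip_failures = defaultdict(deque)    # ip  -> failure timestamps
        self.frozen_uids = set()
        self.blocked_ips = set()

    @staticmethod
    def _count_recent(times, now, window):
        # Age out failures older than the window, then count what is left.
        while times and now - times[0] >= window:
            times.popleft()
        return len(times)

    def record_failure(self, uid, ip, now):
        """Record one failed login at time `now` (seconds); return (frozen, blocked)."""
        # The per-account check applies only when the uid exists.
        if uid in self.valid_uids:
            times = self.user_failures[uid]
            times.append(now)
            if self._count_recent(times, now, USER_WINDOW) >= USER_LIMIT:
                self.frozen_uids.add(uid)
        # The per-IP check applies to every failure, valid uid or not.
        times = self.ip_failures[ip]
        times.append(now)
        if self._count_recent(times, now, IP_WINDOW) > IP_LIMIT:
            self.blocked_ips.add(ip)
        return uid in self.frozen_uids, ip in self.blocked_ips


if __name__ == "__main__":
    # Constructed sample: a burst of four failures in 15 seconds for one uid.
    throttle = LoginThrottle({"alice"})
    for second in (0, 5, 10, 15):
        print(second, throttle.record_failure("alice", "192.0.2.10", second))
```

Because unknown uids are counted only against the source IP, guessing at usernames cannot freeze an account that does not exist, but it still counts toward the IP limit.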